Malware Blog 2025-2026
| 20.12.25 | Uncovering Hidden Forensic Evidence in Windows: The Mystery of AutoLogger-Diagtrack-Listener.etl | FortiGuard IR uncovers forensic insights in Windows AutoLogger-Diagtrack-Listener.etl, a telemetry artefact with untapped investigative value. | Malware blog | FORTINET |
| 20.12.25 | Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns | CRIL has identified a commodity loader being leveraged by various threat actors in targeted email campaigns. | Malware blog | |
| 20.12.25 | GachiLoader: Defeating Node.js Malware with API Tracing | The YouTube Ghost Network is a malware distribution network that uses compromised accounts to promote malicious videos and spread malware, such as infostealers. | Malware blog | CHECKPOINT |
| 20.12.25 | Amadey Exploiting Self-Hosted GitLab to Distribute StealC | Discover how Amadey loader abuses compromised self-hosted GitLab infrastructure to distribute StealC infostealer, evading security controls through trusted platforms. | Malware blog | Trellix |
| 20.12.25 | The Fake Domain Controller You Didn’t See Coming: Detecting DCShadow Attacks Using Trellix NDR | Understanding how DCShadow works and how to detect it is critical for protecting your identity infrastructure, whether you're a SOC analyst, Active Directory administrator, or member of a red team or incident response function. | Malware blog | Trellix |
| 13.12.25 | Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware | Over the past few months, the job economy has been marked by uncertainty, with constant news about layoffs, restructuring, hiring freezes, and aggressive cost-cutting measures. This atmosphere has created widespread anxiety among both employees and organizations, and cybercriminals have quickly... | Malware blog | |
| 13.12.25 | NexusRoute: Attempting to Disrupt an Indian Government Ministry | EXECUTIVE SUMMARY At CYFIRMA, we are committed to offering up-to-date insights into prevalent threats and tactics employed by malicious actors, targeting both organizations | Malware blog | |
| 13.12.25 | Understanding SalatStealer: A Threat Actor’s Golang Stealer Toolset | This week, SonicWall Capture Labs Threat Research Team analyzed a sample of SalatStealer. This is a Golang malware capable of infiltrating a system and enumerating through browsers, files, cryptowallets and systems while embedding a complete array of monitoring tools to push and pull any data on disk. | Malware blog | SonicWall |
| 13.12.25 | Underground Sharp Infostealer Dev Sells Modded Gremlin Source Code | The SonicWall Capture Labs Threat Research Team has recently been tracking infostealer malware stemming from the Sharp malware family. While analyzing a variant of Sharp infostealer, we came across a reference to a Telegram channel that leads to a person claiming to be the developer of this malware. | Malware blog | SonicWall |
| 13.12.25 | Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite | In recent months, we have been analyzing the activity of an advanced persistent threat (APT) known for its espionage activities against Arabic-speaking government entities. We track this Middle Eastern threat actor as Ashen Lepus (aka WIRTE). | Malware blog | Palo Alto |
| 13.12.25 | Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits | Check Point Research (CPR) presents a full dissection of the widely used ValleyRAT backdoor, also known as Winos/Winos4.0, covering its modular architecture and plugin system. | Malware blog | CHECKPOINT |
| 7.12.25 | Analysing a malvertising attack targeting business Google accounts intercepted by Push | Our browser-based security platform recently intercepted a malvertising attack against Push customers. This attack was notable in that it used malvertising via Google Search as the delivery vector, circumventing email-based security controls. Here’s our breakdown. | Malware blog | PUSHSECURITY |
| 6.12.25 | | FortiGuard Labs discovered new Symbiote and BPFDoor variants exploiting eBPF filters to enhance stealth through IPv6 support, UDP traffic, and dynamic port hopping for covert C2 communication. | | |
| 6.12.25 | SEEDSNATCHER: Dissecting an Android Malware Targeting Multiple Crypto Wallet Mnemonic Phrases | EXECUTIVE SUMMARY At Cyfirma, we are committed to providing up-to-date insights into current threats and the tactics used by malicious actors targeting both organizations | | |
| 6.12.25 | Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities | This month, we are looking into a relatively new threat actor who is attempting to distribute the RondoDox malware. It’s an interesting collection of residential IP addresses used for distribution, multi-platform malware, and shell scripts, along with intense targeting of IoT devices. | | |
| 29.11.25 | | Check Point researchers uncover a large-scale Android adware campaign that silently drains resources and disrupts ... | Malware blog | CHECKPOINT |
| 29.11.25 | RelayNFC: The New NFC Relay Malware Targeting Brazil | CRIL uncovers RelayNFC, a malware leveraging Near-Field Communication (NFC) to intercept and relay contactless payment data. | Malware blog | Cyble |
| 29.11.25 | Underground Sharp Infostealer Dev Sells Modded Gremlin Source Code | The SonicWall Capture Labs Threat Research Team has recently been tracking infostealer malware stemming from the Sharp malware family. While analyzing a variant of Sharp infostealer, we came across a reference to a Telegram channel that leads to a person claiming to be the developer of this malware. | Malware blog | SonicWall |
| 29.11.25 | "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated November 26) | Unit 42 researchers investigated a renewed npm-focused compromise, in a campaign dubbed Shai-Hulud 2.0. This was first reported in early November 2025. | Malware blog | Palo Alto |
| 15.11.25 | | The prevalence of obfuscation and multi-stage layering in today’s malware often forces analysts into tedious and manual debugging sessions. For instance, the primary challenge of analyzing pervasive commodity stealers like AgentTesla isn’t identifying the malware, but quickly cutting through the obfuscated delivery chain to get to the final payload. | Malware blog | Google Threat Intelligence |
| 15.11.25 | Security brief: VenomRAT is defanged | VenomRAT is a commodity remote access trojan (RAT) used by multiple cybercriminal threat actors. Around since 2020 but first observed in Proofpoint data in 2022, VenomRAT was used most frequently by the hotel and hospitality targeting threat actor TA558. The malware is based on the open-source malware Quasar RAT. VenomRAT is essentially a clone of Quasar RAT with some extra components bolted on from other sources. | Malware blog | PROOFPOINT |
| 15.11.25 | Operation Endgame Quakes Rhadamanthys | Rhadamanthys is a prominent malware observed since 2022, used by multiple cybercriminal threat actors. | Malware blog | PROOFPOINT |
| 15.11.25 | Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics | In this blog entry, Trend™ Research analyses the layered command-and-control approaches that Lumma Stealer uses to maintain its ongoing operations while enhancing collection of victim-environment data. | Malware blog | Trend Micro |
| 15.11.25 | Covert AutoIt Campaign Delivering Infostealers and RATs | Recently, the SonicWall Capture Labs threat research team has identified a new campaign delivering infostealer payloads using malicious AutoIt scripts along with the AutoIt interpreter. The campaign was observed delivering various payloads including Snake Stealer, XWorm, and Remcos RAT. | Malware blog | SonicWall |
| 15.11.25 | A Look At RondoDox ARM Malware | This week, the SonicWall Capture Labs Threat Research Team analyzed a sample of RondoDox, a Linux botnet infector. This malware is often paired with Mirai, and once installed on a victim system, it accepts C2 commands and can perform system reconnaissance while joining botnet DDoS activities. It has several methods of evading detection along with anti-debugging capabilities. | Malware blog | SonicWall |
| 8.11.25 | | Key Highlights XLoader 8.0 malware is one of the most evasive and persistent information stealers ... | Malware blog | CHECKPOINT |
| 8.11.25 | LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices | Unit 42 researchers have uncovered a previously unknown Android spyware family, which we have named LANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library. The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms. | Malware blog | Palo Alto |
| 1.11.25 | Tracking an evolving Discord-based RAT family | RL's analysis of an STD Group-operated RAT yielded file indicators to better detect the malware and two YARA rules. | Malware blog | REVERSINGLABS |
| 1.11.25 | Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor to Defense Sector | Military-themed lure targeting using weaponized ZIPs and hidden tunneling infrastructure | Malware blog | Cyble |
| 1.11.25 | Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan | Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan Executive Summary This report covers the analysis and findings related to three Android application packages (APKs) | Malware blog | Cyfirma |
| 1.11.25 | HijackLoader Delivered via SVG files | The SonicWall Capture Labs threat research team has recently been monitoring new variants of the HijackLoader malware that are being delivered through SVG files. | Malware blog | SonicWall |
| 25.10.25 | GHOSTGRAB ANDROID MALWARE | Sophisticated Android malware that mines crypto and silently steals banking credentials. EXECUTIVE SUMMARY CYFIRMA is dedicated to providing advanced warning and strategic | Malware blog | Cyfirma |
| 25.10.25 | Proofpoint releases innovative detections for threat hunting: PDF Object Hashing | The PDF format is widely used by threat actors to kickstart malicious activity. In email campaigns, Proofpoint researchers observe PDFs distributed in many ways. | Malware blog | PROOFPOINT |
| 25.10.25 | Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities | Trend™ Research examines the latest version of the Vidar stealer, which features a full rewrite in C, a multithreaded architecture, and several enhancements that warrant attention. Its timely evolution suggests that Vidar is positioning itself to occupy the space left after Lumma Stealer’s decline. | Malware blog | Trend Micro |
| 25.10.25 | Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing | A targeted underground doxxing campaign exposed alleged core members of Lumma Stealer (Water Kurita), resulting in a sharp decline in its activity and a migration of customers to rival infostealer platforms. | Malware blog | Trend Micro |
| 25.10.25 | Dissecting YouTube’s Malware Distribution Network | Check Point Research uncovered and analyzed the YouTube Ghost Network, a sophisticated and coordinated collection of malicious accounts operating on YouTube. These accounts systematically take advantage of YouTube’s features to promote malicious content, ultimately distributing malware while creating a false sense of trust among viewers. | Malware blog | CHECKPOINT |
| 25.10.25 | BeaverTail and OtterCookie evolve with a new Javascript module | Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK). | Malware blog | CISCO TALOS |
| 25.10.25 | SnakeStealer: How it preys on personal data – and how you can protect yourself | Here’s what to know about the malware with an insatiable appetite for valuable data, so much so that it tops this year's infostealer detection charts | Malware blog | Eset |
| 18.10.25 | Tracking Malware and Attack Expansion: A Hacker Group’s Journey across Asia | FortiGuard Labs has tracked a hacker group expanding attacks from China to Malaysia, linking campaigns through shared code, infrastructure, and tactics. | Malware blog | FORTINET |
| 18.10.25 | GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware | GhostBat RAT resurfaces via fake RTO apps, stealing banking data, mining crypto, and registering devices through Telegram bots—targeting Indian Android users. | Malware blog | Cyble |
| 18.10.25 | BombShell: The Signed Backdoor Hiding in Plain Sight on Framework Devices | One of our fears, as individuals who have spent years examining firmware security, is stumbling upon a vulnerability that reveals the fundamental flaws in our trust models. | Malware blog | Eclypsium |
| 18.10.25 | Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing | A targeted underground doxxing campaign exposed alleged core members of Lumma Stealer (Water Kurita), resulting in a sharp decline in its activity and a migration of customers to rival infostealer platforms. | Malware blog | Trend Micro |
| 18.10.25 | PhantomVAI Loader Delivers a Range of Infostealers | Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. | Malware blog | Palo Alto |
| 18.10.25 | BeaverTail and OtterCookie evolve with a new Javascript module | Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK). | Malware blog | CISCO TALOS |
| 11.10.25 | New Stealit Campaign Abuses Node.js Single Executable Application | A new Stealit campaign uses Node.js Single Executable Application (SEA) to deliver obfuscated malware. FortiGuard Labs details tactics and defenses. | Malware blog | FORTINET |
| 4.10.25 | Confucius Espionage: From Stealer to Backdoor | FortiGuard Labs has uncovered a shift in the tactics of threat actor Confucius, from stealers to Python backdoors, highlighting advanced techniques used in South Asian cyber espionage. Read more. | Malware blog | FORTINET |
| 4.10.25 | Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend™ Research has identified an active campaign spreading via WhatsApp through a ZIP file attachment. When executed, the malware establishes persistence and hijacks the compromised WhatsApp account to send copies of itself to the victim’s contacts. | Malware blog | Trend Micro |
| 4.10.25 | Rhadamanthys 0.9.x – walk through the updates | Rhadamanthys is a popular, multi-modular stealer, released in 2022. Since then, it has been used in multiple campaigns by various actors. Most recently, it is being observed in the ClickFix campaigns. | Malware blog | CHECKPOINT |
| 4.10.25 | XWorm V6: Exploring Pivotal Plugins | XWorm V6, a potent malware, has resurfaced with new plugins and persistence methods. Stay informed and enhance your defenses against evolving cyber threats. Protect your organization now! | Malware blog | Trellix |
| 27.9.25 | HeartCrypt’s wholesale impersonation effort | How the notorious Packer-as-a-Service operation built itself into a hydra | Malware blog | SOPHOS |
| 27.9.25 | CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions | Silent Push has discovered a new malware loader that is strongly associated with Russian ransomware gangs that we are naming: “CountLoader.” | Malware blog | Silent Push |
| 27.9.25 | | Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. | Malware blog | Google Threat Intelligence |
| 27.9.25 | XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory | Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications. | Malware blog | Microsoft blog |
| 27.9.25 | Decrypting Gremlin: A Deep Dive Into The Info Stealer's Data Harvesting Engine | The SonicWall Capture Labs threat research team has recently been tracking the latest variants of Gremlin malware, a sophisticated .NET-based information stealer designed for comprehensive data exfiltration from infected Windows systems. | Malware blog | SonicWall |
| 27.9.25 | How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking | Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors | Malware blog | CISCO TALOS |
| 27.9.25 | ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices | Cisco is aware of new activity targeting certain Cisco Adaptive Security Appliances (ASA) 5500-X Series and has released three CVEs related to the event. We assess with high confidence this activity is related to the same threat actor as ArcaneDoor in 2024. | Malware blog | CISCO TALOS |
| 27.9.25 | Watch out for SVG files booby-trapped with malware | What you see is not always what you get as cybercriminals increasingly weaponize SVG files as delivery vectors for stealthy malware | Malware blog | Eset |
| 20.9.25 | Self-replicating Shai-hulud worm spreads token-stealing malware on npm | RL researchers have detected the first self-replicating worm compromising popular npm packages with cloud token-stealing malware. | Malware blog | REVERSINGLABS |
| 20.9.25 | CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions | Silent Push has discovered a new malware loader that is strongly associated with Russian ransomware gangs that we are naming: “CountLoader.” | Malware blog | Silent Push |
| 20.9.25 | Advanced Queries For Real Malware Detection in Silent Push | The Silent Push platform is capable of powerful queries for threat hunting and preemptive discovery of malicious infrastructure. Our team uses this platform every day to proactively hunt and discover infrastructure for our customers, enabling blocking and discovery of threats before they are fully operationalized. | Malware blog | Silent Push |
| 20.9.25 | Inside Maranhão Stealer: Node.js-Powered InfoStealer Using Reflective DLL Injection | Vulnerabilities in SAP, Sophos, Adobe and Android were among the fixes issued by vendors during a very busy Patch Tuesday week. | Malware blog | Cyble |
| 20.9.25 | DeerStealer Malware Campaign: Stealth, Persistence, and Rootkit-Like Capabilities | Executive Summary At CYFIRMA, we are dedicated to providing current insights into prevalent threats and the strategies employed by malicious entities targeting both organizations | Malware blog | Cyfirma |
| 20.9.25 | UNMASKING A PYTHON STEALER – “XillenStealer” | EXECUTIVE SUMMARY Cyfirma’s threat intelligence assessment of XillenStealer identifies it as an open-source, Python-based information stealer publicly available on GitHub. The malware is designed to harvest sensitive system and user… | Malware blog | Cyfirma |
| 20.9.25 | "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19) | Palo Alto Networks Unit 42 is investigating an active and widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem. | Malware blog | Palo Alto |
| 20.9.25 | Under the Pure Curtain: From RAT to Builder to Coder | Check Point Research conducted a forensic analysis of a ClickFix campaign that lured victims with fake job offers that resulted in an eight-day intrusion. | Malware blog | Checkpoint |
| 13.9.25 | MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access | FortiGuard Labs uncovers MostereRAT’s use of phishing, EPL code, and remote access tools like AnyDesk and TightVNC to evade defenses and seize full system control. | Malware blog | FORTINET |
| 13.9.25 | Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts | Table of Content: Introduction Infection Chain Process Tree Campaign 1: – Persistence – BATCH files – PowerShell script – Loader – Xworm/Remcos Campaign 2 Conclusion IOCS Detections MITRE ATTACK TTPs Introduction: Recent threat campaigns have revealed an evolving use... | Malware blog | Seqrite |
| 6.9.25 | Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and Its Operator, TA569 | SocGholish, operated by TA569, actually functions as a Malware-as-a-Service (MaaS) vendor, selling access to compromised systems to various financially motivated cybercriminal clients. | Malware blog | Silent Push |
| 6.9.25 | IP Tagging in Silent Push: VPN, Proxy and Sinkhole Detection | Silent Push has uncovered a massive Internet Protocol Television (IPTV)-based piracy network that has been active for several years and is currently hosted across more than 1,000 domains and over 10,000 IP addresses. | Malware blog | Silent Push |
| 6.9.25 | Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure | EXECUTIVE SUMMARY CYFIRMA has identified Salat Stealer (also known as WEB_RAT), a sophisticated Go-based infostealer targeting Windows systems. The malware exfiltrates browser credentials, cryptocurrency wallet data, and session | Malware blog | Cyfirma |
| 6.9.25 | Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers | Proofpoint researchers observed an increase in opportunistic cybercriminals using malware based on Stealerium, an open-source malware that is available “for educational purposes.” | Malware blog | PROOFPOINT |
| 6.9.25 | An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps | Trend™ Research analyzed a campaign distributing Atomic macOS Stealer (AMOS), a malware family targeting macOS users. Attackers disguise the malware as “cracked” versions of legitimate apps, luring users into installation. | Malware blog | Trend Micro |
| 6.9.25 | LummaC Attacks Directly and Indirectly | This week, the SonicWall Capture Labs threat research team analyzed a sample of LummaC, a prolific infostealer. The multi-stage infection uses a combination of techniques to avoid detection, create persistence, and exfiltrate data using encryption and network methods. It is also built to resist analysis, with layers of obfuscation and code traps designed to break tools. | Malware blog | SonicWall |
| 6.9.25 | GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes | ESET researchers have identified a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module that manipulates Google search results | Malware blog | Eset |
| 6.9.25 | XWorm’s Evolving Infection Chain: From Predictable to Deceptive | The Trellix Advanced Research Center has uncovered a new XWorm backdoor campaign using evolved deployment methods. Unlike previous versions, this campaign employs sophisticated, deceptive techniques to bypass detection. Moving beyond simple email attacks, it now uses authentic-looking .exe filenames and blends social engineering with technical attack vectors. | Malware blog | Trellix |
| 30.8.25 | SikkahBot Malware Campaign Lures and Defrauds Students in Bangladesh | Executive Summary Cyble Research and Intelligence Labs (CRIL) has uncovered an ongoing Android malware tracker named “SikkahBot,” active since July 2024 and explicitly targeting students in Bangladesh. | Malware blog | Cyble |
| 30.8.25 | UNVEILING A PYTHON STEALER – INF0S3C STEALER | EXECUTIVE SUMMARY Cyfirma’s threat intelligence assessment reveals Inf0s3c Stealer, a Python-based grabber designed to collect system information and user data. The executable | Malware blog | Cyfirma |
| 30.8.25 | TINKYWINKEY KEYLOGGER | EXECUTIVE SUMMARY At CYFIRMA, we are dedicated to providing timely intelligence on emerging cyber threats and adversarial tactics that target both individuals and organizations. | Malware blog | Cyfirma |
| 23.8.25 | Chihuahua Stealer: Disguising Data Theft in Plain Lyrics | A newly identified .NET-based infostealer, called Chihuahua Stealer, was first observed in April 2025. It has been distributed via malicious documents, often hosted on cloud storage platforms such as Google Drive or OneDrive. | Malware blog | Palo Alto |
| 23.8.25 | A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode | We created an in-depth malware analysis tutorial featuring shellcode generated by a tool named Donut. The tutorial walks through a single infection chain from end to end, starting with a sample, and assuming no prior knowledge of the malware in question. | Malware blog | Palo Alto |
| 23.8.25 | New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer | Unit 42 researchers recently observed a shift in the delivery method in the distribution of DarkCloud Stealer and the obfuscation techniques used to complicate analysis. First seen in early April 2025, these new methods and techniques include an additional infection chain for DarkCloud Stealer. This chain involves obfuscation by ConfuserEx and a final payload written in Visual Basic 6 (VB6). | Malware blog | Palo Alto |
| 23.8.25 | The Silent, Fileless Threat of VShell | Malicious filename in a RAR archive to silently trigger Bash commands and drop a memory-only VShell backdoor | Malware blog | Trellix |
| 17.8.25 | Lazarus Stealer : Android Malware for Russian Bank Credential Theft Through Overlay and SMS Manipulation | EXECUTIVE SUMMARY At CYFIRMA, we deliver actionable intelligence on emerging cyber threats impacting both individuals and organizations. This report analyzes a | Malware blog | Cyfirma |
| 17.8.25 | FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT | Executive Summary CYFIRMA Threat Intelligence has observed an ongoing malicious campaign leveraging the domain ‘telegrampremium[.]app’, which fraudulently mimics the | Malware blog | Cyfirma |
| 17.8.25 | Malicious Packages Across Open-Source Registries: Detection Statistics and Trends (Q2 2025) | Malware threats continue to infiltrate open-source software registries. FortiGuard Labs’ Q2 2025 analysis reveals persistent tactics used in malicious NPM and PyPI packages, including credential theft, obfuscation, and install-time payloads. Learn how threat actors exploit OSS and how to stay protected. | Malware blog | FORTINET |
| 17.8.25 | New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer | Unit 42 researchers recently observed a shift in the delivery method in the distribution of DarkCloud Stealer and the obfuscation techniques used to complicate analysis. | Malware blog | Palo Alto |
| 17.8.25 | A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode | We created an in-depth malware analysis tutorial featuring shellcode generated by a tool named Donut. The tutorial walks through a single infection chain from end to end, starting with a sample, and assuming no prior knowledge of the malware in question. | Malware blog | Palo Alto |
| 17.8.25 | Android Malware Campaign Mimics Indian Banks to Harvest Financial Credentials | The SonicWall Capture Labs threat research team has identified an ongoing Android banking malware campaign targeting users of Indian banks. The malware authors are leveraging phishing pages that closely resemble legitimate banking app interfaces by mimicking elements such as logos, layouts and design features to trick users into installing a malicious application. | Malware blog | SonicWall |
| 16.8.25 | What happened in Vegas (that you actually want to know about) | Hazel braves Vegas, overpriced water and the Black Hat maze to bring you Talos’ latest research — including a deep dive into the PS1Bot malware campaign. | Malware blog | CISCO TALOS |
| 16.8.25 | Malvertising campaign leads to PS1Bot, a multi-stage malware framework | Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.” | Malware blog | CISCO TALOS |
| 16.8.25 | Backdoors & Breaches: How Talos is helping humanitarian aid NGOs prepare for cyber attacks | In 2023, Cisco Talos and partners created a special Backdoors & Breaches card deck to help NGOs improve their cybersecurity skills with practical, easy-to-use training tailored to their needs. | Malware blog | CISCO TALOS |
| 16.8.25 | Android adware: What is it, and how do I get it off my device? | Is your phone suddenly flooded with aggressive ads, slowing down performance or leading to unusual app behavior? Here’s what to do. | Malware blog | Eset |
| 16.8.25 | SparkRAT: Exploiting Architectural Weaknesses in Open-Source Offensive Tools | SparkRAT is an open-source, freely available, and widely used Remote Access Trojan and C2 server, all of which led us to want to explore it further. | Malware blog | F5 |
| 16.8.25 | A Comprehensive Analysis of HijackLoader and its Infection Chain | HijackLoader, a stealthy loader which delivers a wide variety of payloads, has been found to be spreading using fake download links on various piracy websites as well as SEO poisoning using legitimate websites. I | Malware blog | Trellix |
| 16.8.25 | Exposing PathWiper: DCOM Abuse and Network Erasure | This blog explores how attackers used Distributed Component Object Model (DCOM) as a lateral movement technique to distribute PathWiper, and how Trellix Network Detection and Response (NDR) detects and visualizes such activities. | Malware blog | Trellix |
| 26.7.25 | Uncovering a Stealthy WordPress Backdoor in mu-plugins | Recently, our team uncovered a particularly sneaky piece of malware tucked away in a place many WordPress users don’t even know exists: the mu-plugins folder. In fact, back in March, we saw a similar trend with hidden malware in this very directory, as detailed in our post Hidden Malware Strikes Again: MU-Plugins Under Attack. This current infection was designed to be quiet, persistent, and very hard to spot. | Malware blog | blog.sucuri.net |
| 26.7.25 | Operation CargoTalon: UNG0901 Targets Russian Aerospace & Defense Sector using EAGLET implant. | Contents Introduction Initial Findings Infection Chain. Technical Analysis Stage 0 – Malicious Email File. Stage 1 – Malicious LNK file. Stage 2 – Looking into the decoy file. Stage 3 – Malicious EAGLET implant. Hunting and Infrastructure. Infrastructural details.... | Malware blog | Seqrite |
| 26.7.25 | RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration | EXECUTIVE SUMMARY Raven Stealer is a modern, lightweight, information-stealing malware developed primarily in Delphi and C++, designed to extract sensitive data from victim | Malware blog | Cyfirma |
| 26.7.25 | ANDROID MALWARE POSING AS INDIAN BANK APPS | ANDROID MALWARE POSING AS INDIAN BANK APPS EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging cyber threats and adversarial tactics | Malware blog | Cyfirma |
| 26.7.25 | EdskManager RAT: Multi-Stage Malware with HVNC and Evasion Capabilities | Executive Summary At CYFIRMA, we are dedicated to providing current insights into prevalent threats and the strategies employed by malicious entities targeting both organizations | Malware blog | Cyfirma |
| 26.7.25 | Back to Business: Lumma Stealer Returns with Stealthier Methods | Lumma Stealer has re-emerged shortly after its takedown. This time, the cybergroup behind this malware appears to be intent on employing more covert tactics while steadily expanding its reach. This article shares the latest methods used to propagate this threat. | Malware blog | Trend Micro |
| 26.7.25 | The Ηоmоgraph Illusion: Not Everything Is As It Seems | Since the creation of the internet, email attacks have been the predominant attack vector for spreading malware and gaining initial access to systems and endpoints. One example of an effective email compromise technique is a homograph attack. Attackers use this content manipulation tactic to evade content analysis and trick users by replacing Latin characters with similar-looking characters from other Unicode blocks. | Malware blog | Palo Alto |
| 26.7.25 | MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities | Cisco Talos uncovered a stealthy Malware-as-a-Service (MaaS) operation that used fake GitHub accounts to distribute a variety of dangerous payloads and evade security defenses. | Malware blog | CISCO TALOS |
| 26.7.25 | Rogue CAPTCHAs: Look out for phony verification pages spreading malware | Before rushing to prove that you're not a robot, be wary of deceptive human verification pages as an increasingly popular vector for delivering malware | Malware blog | Eset |
| 19.7.25 | RisePro Malware Assembles On-site | This week, the SonicWall Capture Labs threat research team analyzed a sample of RisePro malware. This is a Malware-as-a-Service family that excels in stealing data, especially related to cryptocurrency wallets. It is a multi-stage executable with layers of obfuscation, indirect API calls and extensive evasion capabilities in the form of dynamically built file types and process monitoring. | Malware blog | SonicWall |
| 19.7.25 | This is your sign to step away from the keyboard | This week, Martin shows how stepping away from the screen can make you a stronger defender, alongside an inside scoop on emerging malware threats. | Malware blog | CISCO TALOS |
| 19.7.25 | Unmasking AsyncRAT: Navigating the labyrinth of forks | ESET researchers map out the labyrinthine relationships among the vast hierarchy of AsyncRAT variants | Malware blog | Eset |
| 19.7.25 | NoBooze1 Malware Targets TP-Link Routers via CVE-2019-9082 | This month we dig into the CVE targeting volumes and trending observed in June 2025. We present a breakdown of the exploits targeting this month’s CVE with the largest upswing in activity: CVE-2023-1389 (TP-Link AX21). | Malware blog | F5 |
| 19.7.25 | Threat Analysis: SquidLoader - Still Swimming Under the Radar | A new wave of SquidLoader malware samples are actively targeting financial services institutions in Hong Kong. This sophisticated malware exhibits significant evasion capabilities, achieving near-zero detection rates on VirusTotal at the time of analysis. | Malware blog | Trellix |
| 16.7.25 | Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader | North Korean threat actors deploy 67 malicious npm packages using the newly discovered XORIndex malware loader. | Malware blog | socket.dev |
| 16.7.25 | Russian hackers manipulate npm to make realistic packages | Safety’s malicious package detection identified a malicious npm package today named express-exp. This package was brand new, and had only one version, 1.0.1. | Malware blog | www.getsafety |
| 12.7.25 | Message from Wolf Bot | Since early June 2025, Arctic Wolf has observed a search engine optimisation (SEO) poisoning and malvertising campaign promoting malicious websites hosting Trojanized versions of legitimate IT tools such as PuTTY and WinSCP. | Malware blog | ARCTIC WOLF |
| 12.7.25 | Analysis of TAG-140 Campaign and DRAT V2 Development Targeting Indian Government Organizations | During an investigation into a recent TAG-140 campaign targeting Indian government organizations, Insikt Group identified a modified variant of the DRAT remote access trojan (RAT), which we designated as DRAT V2. | Malware blog | RECORDEDFUTURE |
| 12.7.25 | RENDERSHOCK: WEAPONIZING TRUST IN FILE RENDERING PIPELINES | EXECUTIVE SUMMARY RenderShock is a comprehensive zero-click attack strategy that targets passive file preview, indexing, and automation behaviours in modern operating systems and enterprise environments. It leverages built-in trust | Malware blog | Cyfirma |
| 12.7.25 | GitHub Abused to Spread Malware Disguised as Free VPN | EXECUTIVE SUMMARY At CYFIRMA, we continuously monitor and investigate emerging cyber threats targeting both organizations and individuals. In this report, we analysed a | Malware blog | Cyfirma |
| 12.7.25 | Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques | In late 2024, we discovered a malware variant related to the SLOW#TEMPEST campaign. In this research article, we explore the obfuscation techniques employed by the malware authors. We deep dive into these malware samples and highlight methods and code that can be used to detect and defeat the obfuscation techniques. | Malware blog | Palo Alto |
| 5.7.25 | DCRAT Impersonating the Colombian Government | Threat actor impersonates Colombian government to deliver DCRAT via phishing email, using obfuscation, steganography, and PowerShell payload chains. | Malware blog | FORTINET |
| 5.7.25 | DBatLoader Reloaded: Dual Injection and Resilience | The SonicWall Capture Labs threat research team has observed the latest variant of DBatLoader performing a dual injection of Remcos RAT, utilizing two distinct injection techniques. The malware is mainly known for delivering Remcos RAT, but also delivers other malware. | Malware blog | SonicWall |
| 5.7.25 | Windows Shortcut (LNK) Malware Strategies | Attackers are increasingly exploiting Windows shortcut (LNK) files for malware delivery. Our telemetry revealed 21,098 malicious LNK samples in 2023, which surged to 68,392 in 2024. In this article, we present an in-depth investigation of LNK malware, based on analysis of 30,000 recent samples. | Malware blog | Palo Alto |
| 4.7.25 | June's Dark Gift: The Rise of Qwizzserial | Discovered by Group-IB in mid-2024, Qwizzserial was initially not very active but has since spread widely in Uzbekistan, masquerading as legitimate applications. The malware steals banking information and intercepts 2FA SMS messages, transmitting them to fraudsters via Telegram bots. | Malware blog | GROUP-IB |
| 2.7.25 | 10 Things I Hate About Attribution: RomCom vs. TransferLoader | Most of the time, delineating activities from distinct clusters and separating cybercrime from espionage can be done based on differing tactics, techniques, and procedures (TTPs), tooling, volume/scale, and targeting. | Malware blog | PROOFPOINT |
| 28.6.25 | Dissecting a Malicious Havoc Sample | Explore a detailed technical analysis of a Havoc Remote Access Trojan (RAT) variant used in a targeted cyberattack against Middle East critical national infrastructure. Learn how Fortinet detects and protects against Havoc-based threats. | Malware blog | FORTINET |
| 28.6.25 | ODYSSEY STEALER : THE REBRAND OF POSEIDON STEALER | EXECUTIVE SUMMARY The CYFIRMA research team has uncovered multiple websites employing Clickfix tactics to deliver malicious AppleScripts (osascripts). These scripts | Malware blog | Cyfirma |
| 28.6.25 | In the Wild: Malware Prototype with Embedded Prompt Injection | In this write-up we present a malware sample found in the wild that boasts a novel and unusual evasion mechanism — an attempted prompt injection (”Ignore all previous instructions…”) aimed to manipulate AI models processing the sample. | Malware blog | Checkpoint |
| 27.6.25 | DeepSeek Deception: Sainbox RAT & Hidden Rootkit Delivery | Netskope Threat Labs has discovered a campaign using fake installers to deliver the Sainbox RAT and Hidden rootkit. During our threat hunting activities, we encountered multiple installers disguised as legitimate software, including WPS Office, Sogou, and DeepSeek. | Malware blog | NETSKOPE |
| 25.6.25 | ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware | Since March 2025 there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples | Malware blog | G DATA |
| 25.6.25 | Exchange mutations. Malicious code in Outlook pages | In May 2024, specialists from the Incident Response team at the Positive Technologies Expert Security Center (PT Expert Security Center) discovered an attack using an unknown keylogger injected into the home page of a compromised Exchange Server. In 2025, | Malware blog | POSITIVE TECHNOLOGIES |
| 21.6.25 | Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry | During our recent investigation at Seqrite Labs, we identified a sophisticated variant of Masslogger credential stealer malware spreading through .VBE (VBScript Encoded) files | Malware blog | Seqrite |
| 21.6.25 | Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication | Proofpoint has been closely monitoring a stealer malware formerly known as ACR Stealer. In 2025, Proofpoint analysts identified a new, unnamed malware exhibiting significant code overlap, shared features, and capabilities with ACR Stealer. | Malware blog | PROOFPOINT |
| 21.6.25 | VMDetector-Based Loader Abuses Steganography to Deliver Infostealers | Recently, the SonicWall Capture Labs threat research team has identified various malware strains being distributed through a custom VMDetector Loader. | Malware blog | SonicWall |
| 21.6.25 | Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation | This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer. We combine our new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. | Malware blog | Palo Alto |
| 21.6.25 | Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data | Check Point Research discovered a multistage campaign targeting Minecraft users via the distribution as a service (DaaS) Stargazers Ghost Network, which operates on GitHub. The malware impersonates, among others, Oringo and Taunahi, which are “Scripts & Macro” tools (a.k.a cheats). | Malware blog | Checkpoint |
| 21.6.25 | Famous Chollima deploying Python version of GolangGhost RAT | Learn how the North Korean-aligned Famous Chollima is using a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India. | Malware blog | CISCO TALOS |
| 21.6.25 | Hidden Malware Discovered in jQuery Migrate: A Stealthy Supply Chain Threat | This blog breaks down how a commonly used JavaScript library was weaponized to deliver browser-based malware via compromised WordPress assets. | Malware blog | Trellix |
| 20.6.25 | Steam Account Checker Poisoned with Infostealer | I found an interesting script targeting Steam users. Steam is a popular digital distribution platform for purchasing, downloading, and playing video games on personal computers. The script is called "steam-account-checker" and is available on GitHub. | Malware blog | SANS |
| 20.6.25 | Clone, Compile, Compromise: Water Curse’s Open-Source Malware Trap on GitHub | The Trend Micro™ Managed Detection and Response team uncovered a threat campaign orchestrated by an active group, Water Curse. The threat actor exploits GitHub, one of the most trusted platforms for open-source software, as a delivery channel for weaponized repositories. | Malware blog | Trend Micro |
| 14.6.25 | GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically | In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and the sheer size of the resulting binaries. This issue is amplified when samples are obfuscated using tools such as Garble, an open-source Golang obfuscation tool. | Malware blog | VOLEXITY |
| 14.6.25 | StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms | In mid-2023, Volexity detected and responded to multiple incidents involving systems becoming infected with malware linked to StormBamboo (aka Evasive Panda, and previously tracked by Volexity under "StormCloud"). | Malware blog | VOLEXITY |
| 14.6.25 | DISGOMOJI Malware Used to Target Indian Government | In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137. | Malware blog | VOLEXITY |
| 14.6.25 | Understanding CyberEYE RAT Builder: Capabilities and Implications | EXECUTIVE SUMMARY CyberEye (also distributed under names like TelegramRAT) is a modular, .NET-based Remote Access Trojan (RAT) that provides a wide array of surveillance and | Malware blog | Cyfirma |
| 14.6.25 | JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique | We recently discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code. | Malware blog | Palo Alto |
| 14.6.25 | From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery | Check Point Research uncovered an active malware campaign exploiting expired and released Discord invite links. Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers. | Malware blog | Checkpoint |
| 14.6.25 | Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine | Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.” | Malware blog | CISCO TALOS |
| 13.6.25 | First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted | On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists that consented for the technical analysis of their cases. The key findings from our forensic analysis of their devices are summarized below: | Malware blog | THE CITIZENLAB |
| 13.6.25 | Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal | On November 13, 2024, Qurium researchers exposed that the Swiss-Czech adtech company Los Pollos was part of VexTrio, the largest and oldest known malicious TDS. | Malware blog | Infoblox |
| 13.6.25 | Attackers Unleash TeamFiltration: Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool | Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts. | Malware blog | PROOFPOINT |
| 7.6.25 | DuplexSpy RAT: Stealthy Windows Malware Enabling Full Remote Control and Surveillance | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging cyber threats and adversarial tactics targeting individuals and organizations. | Malware blog | Cyfirma |
| 7.6.25 | GuLoader Brings the Noise — and the Obfuscation | This week the SonicWall Capture Labs threat research team analyzed a sample of GuLoader, a dropper and infostealer capable of harvesting credentials, evading AV, and creating persistence through a variety of techniques. It drops a number of files and uses them as timers and canaries to ensure uptime on the victim system. | Malware blog | SonicWall |
| 7.6.25 | Blitz Malware: A Tale of Game Cheats and Code Repositories | In 2024, we discovered new Windows-based malware called Blitz. This article provides an in-depth analysis of the malware, examines its distribution and reviews Blitz malware's command and control (C2) infrastructure. We found a new version of Blitz in early 2025, which indicates this malware has been in active development. | Malware blog | Palo Alto |
| 7.6.25 | Demystifying Myth Stealer: A Rust Based InfoStealer | During regular proactive threat hunting, the Trellix Advanced Research Center identified a fully undetected infostealer malware sample written in Rust. | Malware blog | Trellix |
| 1.6.25 | Infostealer Malware FormBook Spread via Phishing Campaign – Part II | Learn how the FormBook payload operates on a compromised machine, including the complicated anti-analysis techniques employed by this variant. | Malware blog | FORTINET |
| 1.6.25 | Lumma Infostealer – Down but Not Out? | The takedown achieved a significant disruption to Lumma infostealers’ infrastructure, but likely didn’t permanently affect most of its Russia-hosted infrastructure. | Malware blog | Checkpoint |
| 1.6.25 | Enhanced Threat Detection: Bootloaders, Bootkits, and Secure Boot | The attack surface Eclypsium set out to defend extends to areas in our systems that many security teams and monitoring tools are either overlooking or trusting someone else has secured for them. | Malware blog | Eclypsium |
| 25.4.25 | Infostealer Malware FormBook Spread via Phishing Campaign – Part I | FortiGuard Labs observed a phishing campaign in the wild that delivered a malicious Word document as an attachment. Learn more. | Malware blog | FORTINET |
| 25.4.25 | HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging cyber threats and adversarial tactics targeting individuals and organizations. | Malware blog | Cyfirma |
| 25.4.25 | Technical Malware Analysis Report: Python-based RAT Malware | EXECUTIVE SUMMARY The malware analyzed in this report is a Python-based Remote Access Trojan (RAT) that utilizes Discord as a command-and-control (C2) platform. Disguised as a | Malware blog | Cyfirma |
| 25.4.25 | Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs | Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme. | Malware blog | CISCO TALOS |
| 25.4.25 | A Deep Dive into the Latest Version of Lumma InfoStealer | The Trellix Advanced Research Center has been closely tracking the latest developments in Lumma Infostealer, particularly the recent introduction of sophisticated code flow obfuscation techniques. This report will delve into the threat actors' recent campaign and examine the evolution of their Tactics, Techniques, and Procedures (TTPs). | Malware blog | Trellix |
| 19.4.25 | Around the World in 90 Days: State-Sponsored Actors Try ClickFix | While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social engineering technique for the first time. | Malware blog | PROOFPOINT |
| 19.4.25 | Threat actors misuse Node.js to deliver malware and other malicious payloads | Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. | Malware blog | Microsoft blog |
| 19.4.25 | BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets | A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. | Malware blog | Trend Micro |
| 19.4.25 | Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis | In December 2024, we uncovered an attack chain that employs distinct, multi-layered stages to deliver malware like Agent Tesla variants, Remcos RAT or XLoader. Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution. The phishing campaign we analyzed used deceptive emails posing as an order release request to deliver a malicious attachment. | Malware blog | Palo Alto |
| 19.4.25 | Unmasking the new XorDDoS controller and infrastructure | Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks. | Malware blog | CISCO TALOS |
| 19.4.25 | From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets | This article is a continuation of the previous research published on the malware LummaStealer: "Your Data Is Under New Lummanagement: The Rise of LummaStealer". | Malware blog | Cybereason |
| 12.4.25 | TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications | Cyble analyzes TsarBot, a newly identified Android banking Trojan that employs overlay attacks to target over 750 banking, financial, and cryptocurrency applications worldwide. | Malware blog | Cyble |
| 12.4.25 | Beware! Fake ‘NextGen mParivahan’ Malware Returns with Enhanced Stealth and Data Theft | Cybercriminals continually refine their tactics, making Android malware more insidious and challenging to detect. A new variant of the fake NextGen mParivahan malware has emerged, following its predecessor’s deceptive strategies but introducing significant enhancements. Previously, attackers exploited the government’s. | Malware blog | Seqrite |
| 12.4.25 | NEPTUNE RAT : An advanced Windows RAT with System Destruction Capabilities and Password Exfiltration from 270+ Applications | At CYFIRMA, we are committed to providing up-to-date insights into current threats and the tactics used by malicious actors targeting both organizations and individuals. In this report, we take an in-depth look at the latest version of Neptune RAT, which has been shared on GitHub using a technique involving PowerShell commands. | Malware blog | Cyfirma |
| 29.3.25 | MoDiRAT Malware Uses Horus Protector to Target France | The SonicWall Capture Labs threat research team has identified a new development in the Horus Protector distributed infection chain. Recently, it has been targeting the French region with MoDiRAT, a malware notorious for stealing credit card and other victim information. | Malware blog | SonicWall |
| 29.3.25 | Gamaredon campaign abuses LNK files to distribute Remcos backdoor | Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024. | Malware blog | Cisco Blog |
| 15.3.25 | | Recently, we discovered several new malware samples with unique characteristics that made attribution and function determination challenging. | Malware blog | |
| 8.3.25 | Malvertising campaign leads to info stealers hosted on GitHub | Microsoft detected a large-scale malvertising campaign in early December 2024 that impacted nearly one million devices globally. The attack originated from illegal streaming websites embedded with malvertising redirectors and ultimately redirected users to GitHub to deliver initial access payloads as the start of a modular and multi-stage attack chain. | Malware blog | Microsoft blog |
| 8.3.25 | Uncovering .NET Malware Obfuscated by Encryption and Virtualization | We will examine these behaviors in samples we have observed, showing how to extract their configuration parameters through unpacking each stage. Performing this same process through automation would allow a sandbox performing static analysis to extract crucial malware configuration parameters from such samples. | Malware blog | Palo Alto |
| 1.3.25 | Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations | This article reviews a cluster of malicious activity that we identify as CL-STA-0049. Since at least March 2023, a suspected Chinese threat actor has targeted governments, defense, telecommunication, education and aviation sectors in Southeast Asia and South America. | Malware blog | |
| 1.3.25 | RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector | Malware targeting macOS systems is increasingly pervasive in our current threat landscape. Most of the associated threats are cybercrime-related, ranging from information stealers to cryptocurrency mining. Over the past year, we have witnessed an increase in cybercrime activity linked to North Korean nation-state APT groups. | Malware blog | |
| 1.3.25 | Auto-Color: An Emerging and Evasive Linux Backdoor | Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. We chose this name based on the file name the initial payload renames itself after installation. | Malware blog | |
| 22.2.25 | Updated Shadowpad Malware Leads to Ransomware Deployment | In this blog entry, we discuss how Shadowpad is being used to deploy a new undetected ransomware family. Attackers deploy the malware by exploiting weak passwords and bypassing multi-factor authentication. | Malware blog | |
| 22.2.25 | Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response | The Managed XDR team investigated a sophisticated campaign distributing Lumma Stealer through GitHub, where attackers leveraged the platform's release infrastructure to deliver malware such as SectopRAT, Vidar, and Cobeacon. | Malware blog | |
| 22.2.25 | Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered | This loader was seen distributing Async RAT in the past but now it has extended its functionality to Remcos RAT and other malware families. From our analysis, it seems to be targeting European institutions. | Malware blog | |
| 22.2.25 | GCleaner is Packed and Ready to Go | This week, the SonicWall Capture Labs threat research team investigated a sample of GCleaner, a Themida-packed malware variant that downloads and drops additional malware, has C2, heavy anti-analysis/anti-VM, and evasion capabilities. GCleaner will also attempt to infect removable drives by encryption or to spread to other systems. | Malware blog | |
| 22.2.25 | Fake job offers target software developers with infostealers | ESET researchers analyzed a campaign delivering malware bundled with job interview challenges | Malware blog | Eset |
| 22.2.25 | Stately Taurus Activity in Southeast Asia Links to Bookworm Malware | While analyzing infrastructure related to Stately Taurus activity targeting organizations in countries affiliated with the Association of Southeast Asian Nations (ASEAN), Unit 42 researchers observed overlaps with infrastructure used by a variant of the Bookworm malware. | Malware blog | Palo Alto |
| 18.1.25 | GhostRAT Plays Effective Hide and Seek | This week, the SonicWall Capture Labs threat research team investigated a sample of GhostRAT malware. This highly infectious file is built to be persistent and thorough, with many anti-analysi... | Malware blog | SonicWall |
| 11.1.25 | How Cracks and Installers Bring Malware to Your Device | Our research shows how attackers use platforms like YouTube to spread fake installers via trusted hosting services, employing encryption to evade detection and steal sensitive browser data. | Malware blog | |
| 11.1.25 | Banshee: The Stealer That “Stole Code” From MacOS XProtect | Since September, Check Point Research has been monitoring a new version of the Banshee macOS stealer, a malware linked to Russian-speaking cyber criminals targeting macOS users. | Malware blog | Checkpoint |
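The Palo Alto entry on homograph attacks above describes the trick as swapping Latin characters for look-alikes from other Unicode blocks, which is exactly what the Greek Eta and Cyrillic o in that entry's own title do. A practical check a mail or web gateway can run on a sender domain combines three signals: mixed scripts inside one DNS label, a non-ASCII name that hides behind a punycode (xn--) label, and a "skeleton" match against a list of domains you trust. The following is an added example, not code from Unit 42 or from any of the vendors listed on this page; the CONFUSABLES table is a small hand-picked subset (an assumption, not the full Unicode confusables data), the trusted-domain list is constructed for the example, and the sample addresses are made up.

```python
"""Homograph / mixed-script check for sender domains (added example)."""
import unicodedata

# Hand-picked subset of Cyrillic/Greek look-alikes mapped to their Latin
# skeleton. Assumption for this example only; production code should load the
# full Unicode confusables.txt instead of this short table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u041d": "H", "\u0391": "A", "\u0397": "H", "\u03b1": "a", "\u03bf": "o",
}

SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")


def script_of(ch):
    """Coarse script from the character's Unicode name; digits/punct are COMMON."""
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "COMMON"


def scripts_in(label):
    """Set of scripts used by the letters of one DNS label."""
    return {script_of(c) for c in label if c.isalpha()} - {"COMMON"}


def skeleton(domain):
    """Fold look-alikes to Latin so visually identical names compare equal."""
    folded = unicodedata.normalize("NFKC", domain)
    return "".join(CONFUSABLES.get(c, c) for c in folded).lower()


def analyze_domain(domain, trusted):
    """Return a list of human-readable findings; empty list means nothing odd."""
    findings = []
    nfkc = unicodedata.normalize("NFKC", domain)
    for label in nfkc.split("."):
        used = scripts_in(label)
        if len(used) > 1:
            findings.append(f"mixed scripts in label {label!r}: {sorted(used)}")
    # Python's built-in idna codec gives the wire form; any xn-- label means the
    # user saw a non-ASCII name that DNS resolves as something else.
    wire = nfkc.encode("idna").decode("ascii")
    if wire != nfkc.lower():
        findings.append(f"non-ASCII domain, resolves as {wire}")
    sk = skeleton(nfkc)
    for good in trusted:
        if sk == skeleton(good) and nfkc.lower() != good.lower():
            findings.append(f"confusable with trusted domain {good}")
    return findings


def check_sender(address, trusted):
    """Apply analyze_domain to the domain part of an e-mail address."""
    _, _, domain = address.rpartition("@")
    return analyze_domain(domain, trusted)


if __name__ == "__main__":
    TRUSTED = ["paypal.com", "homograph.com"]  # constructed allow-list
    # Constructed samples: Cyrillic a in "paypal", Greek Eta + Cyrillic o in
    # "homograph" (the same substitution the Unit 42 title uses).
    for addr in ("billing@paypal.com", "billing@p\u0430ypal.com",
                 "news@\u0397\u043em\u043egraph.com"):
        print(addr, "->", check_sender(addr, TRUSTED) or "clean")
```

The skeleton comparison is what catches the attack the entry describes; the mixed-script test alone misses whole-script homographs (a domain spelled entirely in Cyrillic), and the punycode test alone flags every legitimate internationalised domain, so the three signals are best combined rather than used in isolation.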